
I don't think this is the Damage ransomware. Based on what ID Ransomware returned, I think it's Cry36 (the sample bytes are an almost certain way to identify it), and there's no way to decrypt files that have been encrypted by Cry36 without getting the private key from the criminals who made the ransomware.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them are pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).

http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.


Thanks for the reply. Unfortunately, I formatted the PC, so I can't recover the Volume Shadow Copies. I tried to contact the criminals, but I didn't get an answer. I understand that a private key is necessary to decrypt the files, but is it not possible to develop a tool to try keys by brute force? Even if it needs days or weeks. Maybe I'm missing something, but I'd like to try to understand and find a solution. It's my whole life that's been encrypted.

Those already exist (although I won't name them here, since they're general password/decryption key brute forcing tools). There's no point in it though. You're talking hundreds if not thousands of years to brute force the decryption key (depending on the key length), even using the most powerful supercomputers available today.

My GTX 1080 Ti would take a decade to brute force a 10-character password, even running at its maximum stable clock speed. Even a 128-bit key would be out of the question with 4-way SLI.
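The two replies above rest on the same arithmetic: the number of candidate keys grows as a power of the key length, while the guessing rate only grows linearly with hardware. The following Python script is an added illustration of that point, not code from the thread or from any of the tools mentioned; the 1e11 guesses-per-second figure it uses is a constructed assumption for illustration, not a measured rate for any particular GPU. It compares a 10-character password drawn from the 95 printable ASCII characters with a 128-bit symmetric key, and also answers the reverse question: how many bits of key space a given budget of hardware and time can actually cover.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(charset_size: int, length: int) -> float:
    """Size of an exhaustively searched password space, expressed in bits.

    A 10-character password over 95 printable characters has 95**10
    candidates, i.e. about 65.7 bits; a random 128-bit key has 2**128.
    """
    return length * math.log2(charset_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random key by exhaustive search.

    On average the search succeeds after trying half of the space, so the
    expected cost is 2**bits / 2 guesses. The result is in years.
    """
    guesses = 2.0 ** bits / 2.0
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def searchable_bits(guesses_per_second: float, years: float) -> float:
    """Largest key size (in bits) whose expected search fits in the budget.

    Inverts expected_years: a budget of R guesses/s for T years covers, in
    expectation, a space of 2 * R * T * SECONDS_PER_YEAR keys.
    """
    total_guesses = 2.0 * guesses_per_second * years * SECONDS_PER_YEAR
    return math.log2(total_guesses)


def gpus_needed(bits: float, guesses_per_second: float, years: float) -> float:
    """How many identical guessing units it would take to finish in `years`.

    Adding hardware scales the rate linearly, so each extra bit of key
    length doubles the number of units required; this is why SLI or a
    cluster does not change the conclusion for a 128-bit key.
    """
    return expected_years(bits, guesses_per_second) / years


if __name__ == "__main__":
    rate = 1e11  # ASSUMED guesses per second for one GPU (constructed figure)
    pw_bits = keyspace_bits(95, 10)
    print(f"10-char printable password: {pw_bits:.1f} bits, "
          f"~{expected_years(pw_bits, rate):.1f} years on one GPU")
    print(f"128-bit key: ~{expected_years(128, rate):.2e} years on one GPU, "
          f"~{expected_years(128, 4 * rate):.2e} years on four")
    print(f"One GPU for a decade covers ~{searchable_bits(rate, 10):.1f} bits")
    print(f"GPUs needed to finish a 128-bit search in a decade: "
          f"~{gpus_needed(128, rate, 10):.2e}")
```

The takeaway the script makes visible: at the assumed rate, a decade of one GPU covers roughly 66 bits of key space, which is why a 10-character printable password is borderline feasible, while a 128-bit key sits about 62 bits further out, a factor of roughly 4.6e18 that no realistic amount of extra hardware closes.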